Monday, December 12, 2016

Tales of spoofing on BSD based kernels (actually Darwin).

Although OSX setups should mostly be targets of spoofed packets, there are times when you need to spoof IPv6 packets from an OSX box. Unlike with IPv4, there is no such thing as an IP_HDRINCL socket option that lets you pass arbitrary IP headers to raw sockets. In fact, there are RFCs on the subject (RFC 3542 and RFC 3493) and the authors put a lot of effort into specifying how certain flags and details may be modified, but the end of the story is that, one way or another, it's not possible to have a handy library function to generically send a spoofed IPv6 packet on a raw socket on OSX.

man 4 ip6 says:

"Note: Since the checksum is always calculated by the kernel for an ICMPv6 socket, applications are not able to generate ICMPv6 packets with incorrect checksums (presumably for testing purposes) using this API."

I like the "presumably for testing purposes" part most.

So I had to eventually switch to packet sockets for my UDP6 sample of libusi++. It's a bit more work to set it up initially, but after that all the get/set of source addresses etc. work as expected.

Thanks to the inject function of libpcap (pcap_inject), that's easy enough. It's probably not worth the effort to handle all the socket options or ancillary data for raw IPv6 sockets just to achieve a goal that in the end still leaves some header parts unmodifiable. I did not test it on OpenBSD or FreeBSD, but the manpage reads more or less the same, so I expect the same problem exists there too.
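As an added example (not part of the original post and not libusi++ code), here is the RFC 2460 upper-layer checksum that the man page note refers to, written as a validator for captured IPv6 packets carrying ICMPv6 or UDP, so that crafted packets with bad checksums can be flagged in a capture. It assumes no extension headers, and the sample echo request is constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One's-complement 16-bit accumulation over n bytes (odd tail zero-padded). */
static uint32_t sum16(uint32_t acc, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    return n ? acc + ((uint32_t)p[0] << 8) : acc;
}

/* IPv6 upper-layer checksum, RFC 2460 section 8.1: pseudo-header {src, dst,
 * upper-layer length, zero, next header} plus the upper-layer packet with its
 * own checksum field (2 bytes at even offset csum_off) skipped. */
uint16_t ipv6_upper_checksum(const uint8_t src[16], const uint8_t dst[16],
                             uint8_t nh, const uint8_t *up, size_t n, size_t csum_off) {
    uint8_t ph[40] = {0};
    memcpy(ph, src, 16);
    memcpy(ph + 16, dst, 16);
    ph[32] = n >> 24; ph[33] = n >> 16; ph[34] = n >> 8; ph[35] = n; ph[39] = nh;
    uint32_t acc = sum16(sum16(0, ph, 40), up, csum_off);
    acc = sum16(acc, up + csum_off + 2, n - csum_off - 2);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* 1 = checksum correct, 0 = wrong, -1 = not a plain IPv6 ICMPv6/UDP packet
 * (extension headers are assumed absent and are not parsed here). */
int ipv6_packet_checksum_ok(const uint8_t *pkt, size_t len) {
    if (len < 40 || (pkt[0] >> 4) != 6) return -1;
    size_t plen = ((size_t)pkt[4] << 8) | pkt[5], off;
    uint8_t nh = pkt[6];
    const uint8_t *up = pkt + 40;
    if (plen + 40 > len || plen < 8) return -1;
    if (nh == 58) off = 2;       /* ICMPv6 (RFC 4443): checksum at bytes 2-3 */
    else if (nh == 17) off = 6;  /* UDP (RFC 768): checksum at bytes 6-7 */
    else return -1;
    uint16_t have = ((uint16_t)up[off] << 8) | up[off + 1];
    uint16_t want = ipv6_upper_checksum(pkt + 8, pkt + 24, nh, up, plen, off);
    if (nh == 17 && want == 0) want = 0xffff; /* UDP sends a computed 0 as 0xffff */
    if (nh == 17 && have == 0) return 0;      /* UDP over IPv6 must carry a checksum */
    return have == want;
}

/* Constructed sample (not a capture): ICMPv6 echo request fe80::1 -> fe80::2. */
static const uint8_t sample_echo[48] = {
    0x60,0x00,0x00,0x00, 0x00,0x08, 0x3a,0x40,
    0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x01,
    0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x02,
    0x80,0x00, 0x82,0xb6, 0x00,0x01, 0x00,0x01 };
```

Feed each packet from a pcap read loop to ipv6_packet_checksum_ok(); a result of 0 marks a packet whose upper-layer checksum no kernel would have produced.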